Using Metadata v2
    • PDF

    Using Metadata v2

    • PDF

    Article summary

    Available in VPC

    Overview

    You can use the calling method of Metadata v2 to compensate for the SSRF security vulnerability of Metadata v1.

    • Metadata v1 - request/response method
    • Metadata v2 - session-oriented method

    Depending on the configuration of the server instance, you can use both v1 and v2, or only use v2.

    Metadata v1 security vulnerability

    When operating a service or running software on a server instance that can use the Metadata v1 method, additional measures and precautions may be required to prevent exposure of meta data (server or role data).
    If there is an SSRF vulnerability in the running service and you are not aware of it, you can call the Metadata API of the server instance from the outside and acquire meta data.
    In order to block these security vulnerabilities, you must change the Metadata version setting of the server instance to only use v2.
    The Metadata v2 method can protect meta data exposure due to SSRF vulnerabilities by issuing tokens through the PUT method and performing token authentication for Metadata API calls.

    Set the Metadata version of the server instance

    After creating the server instance, you can only change settings through the console.

    1. Connect to server console [Services > Compute > Server]
    2. Select version through the [Server management and configuration change > Metadata API management] menu
    • v1 and v2
      • Both v1 and v2 versions are available.
      • Classification of v1 and v2 methods depending on whether or not the token header is passed when calling the Metadata API
      • Performs request without authentication process when token header is not entered
      • Performs request including authentication of the header value passed when token header is entered
    • v2 (token required)
      • Only v2 version available
      • Required input of token header value when calling Metadata API

    Examples

    • Header
      • X-NCP-METADATA-TOKEN-TTL-SECONDS: header to set session duration (seconds) when issuing tokens (1 to 21600 seconds)
      • X-NCP-METADATA-TOKEN: header to deliver token issued when calling Metadata API

    Separate command

    [roor@test-server ~]# TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-NCP-METADATA-TOKEN-TTL-SECONDS: 21600"`
    
    [root@test-server ~]# curl -H "X-NCP-METADATA-TOKEN: $TOKEN" http://169.254.169.254/latest/meta-data
    

    Combined command

    [root@test-server ~]# TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-NCP-METADATA-TOKEN-TTL-SECONDS: 21600"` \
    && curl -H "X-NCP-METADATA-TOKEN: $TOKEN" http://169.254.169.254/latest/meta-data
    


    Note

    An error message may be stored in a variable if the token was not issued normally.
    Metadata API calls do not work properly in this case.

    Authentication error response

    [root@test-server ~]# curl -H "X-NCP-METADATA-TOKEN: wrong-token" -i http://169.254.169.254/latest/meta-data
    HTTP/1.1 401 401
    Date: Tue, 11 Apr 2023 02:42:02 GMT
    Server: Apache
    Referrer-Policy: unsafe-url
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/plain;charset=UTF-8
    
    Unauthorized.
    [root@test-server ~]#
    

    Was this article helpful?

    What's Next
    Changing your password will log you out immediately. Use the new password to log back in.
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.